CVE-2024-13059

Published Feb 10, 2025

Last updated a year ago

CVSS high 7.2
WordPress
ENL Newsletter

Overview

Description
A vulnerability in mintplex-labs/anything-llm prior to version 1.3.1 allows for path traversal due to improper handling of non-ASCII filenames in the multer library. This vulnerability can lead to arbitrary file write, which can subsequently result in remote code execution. The issue arises when the filename transformation introduces '../' sequences, which are not sanitized by multer, allowing attackers with manager or admin roles to write files to arbitrary locations on the server.
Source
security@huntr.dev
NVD status
Received

Risk scores

CVSS 3.0

Type
Secondary
Base score
7.2
Impact score
5.9
Exploitability score
1.2
Vector string
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@huntr.dev
CWE-29

Social media

Hype score
Not currently trending

  1. Dragon Drop: NEW Releases ๐Ÿšจ๐Ÿ‰ ๐Ÿชฒ New CVE labs: โ†’ CVE-2024-13059_Attack: https://t.co/8tG1rJv4fo โ†’ CVE-2024-29180_Attack: https://t.co/EAWUSh6HAO โ†’ CVE-2024-8517_Attack: https://t.co/nWJYhe7D7f ๐Ÿงช Other new labs: โ†’ AdminPanel: https://t.co/YdLILs7o8z Drop compl

    @offsectraining

    10 Sept 2025

    3495 Impressions

    4 Retweets

    29 Likes

    7 Bookmarks

    1 Reply

    0 Quotes

  2. In February 2025, a critical vulnerability identified as CVE-2024-13059 was disclosed in AnythingLLM, an open-source framework for building self-hosted AI assistants: https://t.co/vL1moP6MnA This flaw affects versions prior to 1.3.1 and arises from improper handling of non-ASCII

    @offsectraining

    18 Apr 2025

    4479 Impressions

    21 Retweets

    70 Likes

    14 Bookmarks

    0 Replies

    1 Quote

  3. ๐Ÿšจ CVE-2024-13059 ๐Ÿ”ด HIGH (7.2) ๐Ÿข mintplex-labs - mintplex-labs/anything-llm ๐Ÿ—๏ธ unspecified ๐Ÿ”— https://t.co/kqcrVnnZf9 ๐Ÿ”— https://t.co/P49jIwUhPU #CyberCron #VulnAlert https://t.co/xstSrcGJKe

    @cybercronai

    12 Feb 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2024-13059 A vulnerability in mintplex-labs/anything-llm prior to version 1.3.1 allows for path traversal due to improper handling of non-ASCII filenames in the multer library. โ€ฆ https://t.co/Topw1kLbrl

    @CVEnew

    10 Feb 2025

    256 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.โ€ขCVE-2026-2486
  2. WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.โ€ขCVE-2026-26370
  3. The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version.โ€ขCVE-2025-67846
  4. The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.โ€ขCVE-2025-9501
  5. The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.โ€ขCVE-2025-8085

References

Sources include official advisories and independent security research.